Fix zizmor output: suppress 0 warnings, show details with location, run per-file

[Copilot]

Zizmor security scanner output was cluttered with "0 warnings" messages, lacked diagnostic details, and ran in batch at the end of compilation instead of per-file.

Changes

• Skip 0 warning display: Files with no findings produce no output
• Show detailed findings: Display severity, type, location (line/column), and description for each warning

  🌈 zizmor 2 warnings in ./.github/workflows/test.lock.yml
  ✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions
  ✗   - [High] template-injection at line 12, column 24: template injection with untrusted input
  

• Run per-file: Execute zizmor immediately after each workflow compiles via new runZizmorOnFile() function
• Remove batch execution: Deleted runZizmor() and end-of-compilation scanning code
• Error formatting: Use console.FormatErrorMessage() for consistent error display with ✗ symbol

Implementation

pkg/cli/zizmor.go

• Enhanced zizmorFinding struct to capture desc, url, annotation, and location data (start_point with row/column)
• Modified parseAndDisplayZizmorOutput() to skip count == 0, extract location info, and display detailed findings with line/column numbers (1-based indexing) and descriptions
• Added runZizmorOnFile() for single-file scanning with Docker volume mount to git root
• Used console.FormatErrorMessage() for consistent error formatting

pkg/cli/compile_command.go

• Added runZizmorPerFile and strict parameters to validation functions
• Integrated zizmor execution into CompileWorkflowWithValidation() and CompileWorkflowDataWithValidation()
• Removed batch execution blocks (lines 306-337, 480-485)

pkg/cli/zizmor_test.go

• Updated test data with complete zizmor JSON structure including desc, url, and location information
• Updated expectations: no output for 0 warnings, detailed output with location and description for findings
• Verified error formatting with ✗ symbol prefix

pkg/cli/compile_integration_test.go

• Updated TestCompileWithZizmor to accept silent output for clean workflows

Original prompt

• do not show "🌈 zizmor 0 warnings" for 0 warnings.
• run zizmor and display the result as your run workflows, not all at the end
• display zizmor error and warnings to the console

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot you need to show the file, line, column and error description for zizmor errors.

[Copilot]

@copilot you need to show the file, line, column and error description for zizmor errors.

Added detailed zizmor output showing file, line, column, and error description. The output now displays:

🌈 zizmor 2 warnings in ./.github/workflows/test.lock.yml
✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions
✗   - [High] template-injection at line 12, column 24: template injection with untrusted input

Changes in commit f88d0d4:

• Enhanced struct to capture location (row/column) and description from zizmor JSON
• Display shows line number, column number (1-based), and human-readable description
• Used console.FormatErrorMessage for consistent error formatting with ✗ symbol

[github-actions]

Agentic Changeset Generator triggered by this pull request.

[Copilot]

Pull Request Overview

This PR refactors the zizmor security scanner integration to improve output clarity and execution timing. The changes suppress zero-warning messages, add detailed diagnostic information including location and severity, and execute zizmor per-file during compilation rather than in batch afterward.

Key changes:

• Suppresses "0 warnings" output for clean workflows
• Displays detailed findings with severity, type, line/column location, and descriptions
• Executes zizmor per-file during compilation instead of batch execution at the end

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/cli/zizmor.go	Enhanced zizmorFinding struct with location/description fields; refactored to runZizmorOnFile() for single-file scanning; updated output formatting to skip zero warnings and show detailed diagnostics
pkg/cli/compile_command.go	Integrated per-file zizmor execution into validation functions; removed batch execution code blocks
pkg/cli/zizmor_test.go	Updated test fixtures with complete zizmor JSON structure and verified new output format
pkg/cli/compile_integration_test.go	Updated test to accept silent output for workflows with no findings
pkg/cli/add_command.go	Updated function calls to match new signature with zizmor parameters

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The condition row > 0 || col > 0 will incorrectly omit location info when both row and column are 0, which is a valid location (first line, first column). The condition should be row >= 0 && col >= 0 or simply always format the location since negative values should not occur in valid zizmor output.

Suggested change

	if row > 0 || col > 0 {
	if row >= 0 && col >= 0 {

[Copilot]

[nitpick] The expression zizmor && !noEmit is duplicated in multiple calls (lines 252, 393). Consider extracting this into a named boolean variable like runZizmor := zizmor && !noEmit at the function start to improve readability and reduce duplication.